U.S. DEPARTMENT OF COMMERCE
Office of Inspector General

National Institute of Standards and Technology

FY 2009 FISMA Assessment of Application Systems and Databases (NIST 183-06)

Final Inspection Report No. OSE-19512 / August 2009

Office of Audit and Evaluation


UNITED STATES DEPARTMENT OF COMMERCE
Office of Inspector General
Washington, D.C. 20230

AUG -7 2009

MEMORANDUM FOR: Dr. Patrick Gallagher
                Deputy Director
                National Institute of Standards and Technology

FROM:           Allen Crawley
                Assistant Inspector General for Systems Acquisition and IT Security

SUBJECT:        National Institute of Standards and Technology
                FY 2009 FISMA Assessment of Application Systems and Databases (NIST 183-06)
                Final Inspection Report No. OSE-19512

This report presents the results of our Federal Information Security Management Act (FISMA) review of NIST's certification and accreditation of the Application Systems and Databases (ASD) system.

We found that NIST's C&A process provided the authorizing official sufficient information to make a credible risk-based decision to approve system operation. In the report, we note the need for minor improvements in security planning, secure configuration settings, and security control assessments. Our assessment of ASD security controls found vulnerabilities requiring remediation.

In its response to our draft report, NIST concurred with our findings and recommendations with several exceptions related to specific details. The response is summarized in the appropriate sections of the report where we also address the minor points of disagreement. NIST's response is included in its entirety as appendix C.

We request that you provide us with an action plan describing the actions you have taken or plan to take in response to our recommendations within 60 calendar days of the date of this report. A plan of action and milestones should be used to communicate the plan as required by FISMA.

We appreciate the cooperation and courtesies extended to us by your staff during our evaluation. If you would like to discuss any of the issues raised in this report, please call me at (202) 482-1855.

Attachment

cc:  Suzanne Hilding, chief information officer, U.S. Department of Commerce
     Simon Szykman, chief information officer, NIST
     L. Dale Little, chief, Applications Systems Division, NIST
     Kenneth R. Glenn, chief, Information Technology Security and Networking Division, NIST


OIG FY 2009 FISMA Assessment

Listing of Abbreviated Terms & Acronyms

ASD       Application Systems and Databases
C&A       Certification and Accreditation
CGI       Common Gateway Interface
COTS      Commercial off-the-shelf
CSAM      Cyber Security Assessment and Management
DISA      Defense Information Systems Agency
FIPS      Federal Information Processing Standards
FISMA     Federal Information Security Management Act of 2002

IT        Information Technology
ITSO      Information Technology Security Officer
NIST      National Institute of Standards and Technology
OCIO      Office of the Chief Information Officer
OIG       Office of Inspector General
OS        Operating System
POA&M     Plan of Action & Milestones
SSO       System Security Officer
SSP       System Security Plan
SQL       Structured Query Language

Page 1


Synopsis of Findings

•  Revised system security plan was generally adequate, but security planning process needs improvement.

•  Secure configuration settings were not established for all IT products.

•  Control assessments produced reliable information for assessing risk, but some minor improvements are needed.

•  OIG assessments found vulnerabilities requiring remediation.

Conclusion

•  While there were deficiencies with security planning prior to the certification phase, NIST's certification and accreditation process, in particular its assessment of security controls, produced sufficient information for the authorizing official to make a credible, risk-based decision to approve system operation. NIST should address the minor deficiencies we identified as part of its continuous monitoring of system security.


Summary of NIST Response

In its response to our draft report, NIST concurred with our findings and recommendations with several exceptions on select points in our report. It did not concur with the part of our finding that noted the security plan had been written by the certification team. NIST also did not concur with our security control assessment finding that there was insufficient disk space for          logs. And it did not concur with one of our examples of deficiencies with the NIST certification team's security control assessment.

One of NIST's remarks with respect to custom secure configuration checklists for          suggests its disagreement, in part, with our recommendation that NIST establish secure settings for all IT products in the system. And NIST's remarks on two items in our tables were non-responsive to the deficiencies we identified.

NIST also described actions it has taken or plans to take to address our recommendations.

NIST's written response is included in its entirety as appendix C of this report.

OIG Comments

NIST generally concurred with our findings and recommendations. We address several specific disagreements in the applicable sections of the report.


Introduction

The Application Systems and Databases system (ASD) consists solely of software. The system includes database containers, database management systems, and web application servers that support other NIST systems. ASD also includes applications that provide data object translation, data warehousing, and report generation capabilities. The hardware and associated operating systems hosting ASD software are not in the accreditation boundary and instead are included in other NIST systems.

NIST has categorized ASD as a          .

NIST initiated the certification and accreditation process in August 2007. Certification was completed in late December 2007 and, after an internal quality assurance and management review, the CIO authorized system operation on May 11, 2008.


Findings and Recommendations

1. Revised System Security Plan Was Generally Adequate, but Security Planning Process Needs Improvement

NIST first developed a single security plan for certifying and accrediting ASD. This initial plan covered the "parent" system only, consisting primarily of          products. NIST ultimately prepared three security plans for this system's accreditation—one for the parent system, and two subsystem plans for an application server and reporting tools.

•  The initial system security plan did not fully address controls for the parent system and omitted subsystems altogether.
   o  The initial security plan did not include major software components:

   o  No control enhancements required for the system were described.
   o  Many control descriptions were deficient. (See table 1.)
      ▪  Several controls were not accurately or completely described.
      ▪  Several controls for an application          were not described.
      ▪  Common and hybrid controls were not correctly identified.
   o  Despite these deficiencies, the senior agency information security officer and the authorizing official formally accepted the initial security plan indicating the set of controls described "meets the security requirements for the system," and gave approval for the C&A "process to begin." NIST then began security certification activities.
   o  A hardware server was removed from the accreditation boundary sometime during the security certification (system now consists of software only).
      ▪  NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, calls for accreditation boundaries to be established before the certification phase begins.

•  Along with assessing controls, NIST certification team members rewrote the parent security plan and created new subsystem security plans that served as the basis for the accreditation decision.
   o  NIST told us that the system security officer and other administrators participated in the development of the final plans. However, the certification team's authorship of the security plans raises the possibility that security control requirements were solely based on security settings and implementations discovered during control assessments rather than a risk-based process to determine the necessary protections for information in ASD. In fact, many control descriptions in the revised security plan are direct quotes from the control assessment.
      ▪  Scoping and tailoring control requirements should be driven by consideration of risk to the confidentiality, integrity, and availability of the information in the system. While certification teams should consult with system owners about the adequacy of the security plan, it is the system owner's role to maintain the plan based on input from various managers with system responsibilities.

•  Revised system security plans generally addressed all required elements of the NIST SP 800-53 controls for each system component. However, some control descriptions need improvement. (See table 2.)

Recommendations

1.1 NIST authorizing officials and the senior agency information security officer should ensure that the scoping and tailoring of security controls and the security plan descriptions of system-specific implementations are completed before entering the certification phase so that control assessments have appropriate standards against which controls can be measured.

1.2 NIST should rectify the deficiencies identified in table 2.

NIST Response

NIST concurred with this finding and our recommendations. NIST indicated it would ensure future initial security plans include sufficient detail. However, it took exception to the part of our finding that discusses the certification team's involvement in writing the revised security plans. NIST suggested that the certification team's involvement was less than we depicted—NIST said a member only provided assistance by rewriting some parts—and that security requirements were "defined, reviewed, and approved" by NIST managers prior to the accreditation decision.

NIST indicated it had remediated or planned to remediate the deficiencies in the revised security plans we identified in table 2.

OIG Comments

NIST's depiction of the certification team's involvement is different from what we learned during the course of our evaluation. The ASD system security officer told us that he had prepared an initial draft of the parent system plan and then "turned it over" to the certification team. The team member who rewrote much of the parent plan and wrote the subsystem plans also did much of the testing for the security certification. When we met him, he told us he wrote the plans after the security certification. And, as we note in the finding, many of the descriptions of controls in the revised plans were direct quotes from the security control assessment.

We acknowledge what NIST told us during the evaluation—that the writing of the plans was an iterative process between the certification team and the system security officer and both worked toward agreed-upon descriptions of controls. This aspect of our finding was merely to caution NIST that its approach deviated from the process described in NIST SP 800-37 and, as discussed in our finding, could result in a less-than-adequate determination of security requirements.


2. Secure Configuration Settings Were Not Established for All IT Products

Background: The Department's IT security policy and NIST SP 800-53 require establishing and assessing secure configuration settings for IT products, which include operating systems for system components (such as servers, desktops, laptops, routers, and switches) and applications (such as e-mail, web, VPN, firewall, intrusion detection, database, and antivirus). FISMA and OMB guidance also highlight the importance of secure configuration settings. Implementing and maintaining secure configuration settings is one of the most effective ways of negating threats.

•  Secure configuration settings were established for the          but not for other significant applications in the system.
   o           have standardized secure configuration checklists available. (Checklists provide predefined secure configuration settings that can be used to establish system-specific settings.)
   o  NIST explained that a program-level POA&M exists to address the need to develop secure configuration checklists for applications. However, this POA&M (#26334 in CSAM) was closed June 30, 2008, without developing any additional secure configuration checklists applicable to ASD applications.
   o  To illustrate the importance of utilizing secure configuration checklists, we assessed configuration settings for two of the system's          ) against the Defense Information Systems Agency's (DISA)          security checklist.
      ▪  We selected 24 technical settings with significant impact (DISA's category 1 or 2)¹ from the checklist.
         •           results included 10 category 2 vulnerabilities.
         •           results included 8 category 2 vulnerabilities. (See table 3.)
      ▪  These vulnerabilities might have been resolved if a secure configuration checklist were implemented for this application. (It is also possible that remediation of some vulnerabilities may prevent the successful operation of the legacy applications, but that risk should be identified and appropriately considered according to the methodology in NIST SP 800-70, Security Configuration Checklists Program for IT Products – Guidance for Checklists Users and Developers.)

•  The NIST          secure configuration checklist² was not tailored for the ASD system.
   o  NIST has a secure configuration checklist for          that serves as an enterprise-wide standard. However, NIST told us that prior to assessment, the checklist had not been tailored to the system-specific requirements of ASD.
   o  NIST's certification team, along with system administrators, determined the appropriate settings for the sample of databases assessed. However, configuration settings for other databases in the system need to be established and documented. This activity, part of tailoring security control requirements, is the responsibility of the system owner.

•  The description, assessment, and remediation of configuration settings were inappropriately assigned to security control Baseline Configuration (CM-2).
   o  CM-2 requires the creation of a baseline configuration that describes the makeup of each component and its logical placement within the information system.
   o  Configuration Settings (CM-6) is the appropriate control. It requires the establishment, configuration, documentation, and enforcement of configuration settings to the most restrictive mode consistent with operational requirements.

•  Assessments of          configuration settings were adequate.
   o  Assessment results were supported by adequate evidence that was appropriately referenced in summary assessment results.
   o  Settings were evaluated from an appropriate sample of databases.

•           configuration vulnerabilities were not adequately remediated.
   o  During the certification process, NIST added an action item to its POA&M (CSAM #26134) to address vulnerabilities identified during the assessment of secure configuration settings. The item directs that "staff apply the NIST          Secure Configuration Guidelines consistently among all databases by 9/30/2008." This POA&M item was marked completed on September 2, 2008.
      ▪  NIST OCIO indicated it completed the POA&M based on staff response to a status request and that validation testing will be performed at a later date, as part of continuous monitoring activities. However, Appendix E of the Department's IT Security Program Policy and Minimum Implementation Standards requires the ITSO to have tested the POA&M item's implementation before categorizing the item as complete.
   o  We found that while NIST has remediated many of the vulnerabilities identified in its assessment, the configuration settings were not applied consistently among the databases we assessed.
      ▪  We assessed 86 of NIST's defined configuration settings for          . NIST had identified 33 improperly applied settings in its own assessment. Of these 33, we found that 22 were properly applied in the databases we assessed. The remaining 11 improper settings NIST identified were present on one or more databases included in our assessment. (See table 4.)
      ▪  We also found 3 configuration settings (listed below) that NIST had marked as "Satisfied" because "the database administrator changed the setting" to the correct value, implying that the change had been made at the time of the assessment. These settings were either not successfully corrected as stated or the incorrect settings were reintroduced following the change.
         •
         •
         •
      ▪  We also found 6 improper settings NIST did not identify in its security certification. (See table 5.)

¹ DISA checklists use severity codes to denote the significance of vulnerabilities resulting from improperly applied configuration settings. Category 1 vulnerabilities allow an attacker immediate access into a machine, allow superuser access, or bypass a firewall. Category 2 vulnerabilities help an attacker access a machine, compromise sensitive data, or bypass a firewall.

² NIST SP 800-70, Security Configuration Checklists Program for IT Products, requires system owners to develop secure configuration checklists (a list of secure configuration settings) for IT products. NIST OCIO uses the term "guides" as the equivalent of checklists.

Recommendations

NIST should

2.1 ensure that secure configuration settings are established, implemented, and assessed for all IT products in the system accreditation boundary in accordance with NIST SP 800-70, Security Configuration Checklists Program for IT Products;

2.2 tailor the NIST          secure configuration checklist to the specific operational requirements of ASD;

2.3 only close POA&M items after validation testing or examination demonstrates that the planned remedial action(s) succeeded; and

2.4 create a new POA&M item to track the remediation of          vulnerabilities in databases.

NIST Response

NIST indicated it concurred with this finding and our recommendations except for an item listed in table 5 regarding disk space available for          on a particular server. We identified the remaining available space to be insufficient at 5 MB; NIST noted that the remaining space was actually 5 GB, which was adequate.

In response to check # 73 of table 5, which deals with the

NIST indicated that it would tailor an          secure configuration checklist for ASD and that it identifies secure configuration guides for applications when they exist and customizes them for each situation, depending on functional requirements.

OIG Comments

NIST rightly pointed out our error in interpreting available disk space for the database in question and we have removed the item from table 5.

With respect to check #73, NIST's remarks were unresponsive to that particular issue.
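The consistency check behind finding 2 (every sampled database compared against the checklist, and each result compared with the prior certification assessment so that remediated, persistent, regressed and newly found settings can be told apart) can be written as a short script. This is an added example, not code from the OIG report or from NIST; the check numbers, setting names, required values, prior assessment results and database names are all constructed, and the OBSERVED dict stands in for whatever an assessment script would collect from the databases.

```python
"""Configuration-consistency check of sampled databases against a secure
configuration checklist, in the form used by finding 2.  Added example, not
code from the OIG report or from NIST.  Check numbers, setting names,
required values, prior assessment results and database names are all
constructed for the example; OBSERVED stands in for the settings an
assessment script would collect from each database."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Check:
    number: int      # checklist check number (constructed)
    setting: str     # configuration parameter name (constructed)
    required: str    # value the checklist requires


CHECKLIST = [
    Check(5, "remote_login_enabled", "FALSE"),
    Check(12, "max_failed_logins", "5"),
    Check(18, "default_accounts_locked", "TRUE"),
    Check(27, "audit_level", "DB"),
    Check(40, "password_max_age_days", "60"),
    Check(58, "listener_password_set", "TRUE"),
]

# Result recorded for each check in the certification assessment (constructed).
# Check 58 is absent: the certification assessment did not cover it.
PRIOR_ASSESSMENT = {
    5: "Not Satisfied",
    12: "Satisfied",      # marked satisfied because the DBA "changed the setting"
    18: "Not Satisfied",
    27: "Not Satisfied",
    40: "Satisfied",
}

# Settings observed on each database in the sample (constructed).
OBSERVED = {
    "db-a": {"remote_login_enabled": "FALSE", "max_failed_logins": "10",
             "default_accounts_locked": "TRUE", "audit_level": "DB",
             "password_max_age_days": "60", "listener_password_set": "FALSE"},
    "db-b": {"remote_login_enabled": "FALSE", "max_failed_logins": "5",
             "default_accounts_locked": "TRUE", "audit_level": "NONE",
             "password_max_age_days": "60", "listener_password_set": "TRUE"},
    "db-c": {"remote_login_enabled": "TRUE", "max_failed_logins": "5",
             "default_accounts_locked": "TRUE", "audit_level": "DB",
             "password_max_age_days": "60"},   # listener_password_set not set
}


def failing_databases(check, observed):
    """Databases on which `check` is not at its required value.  A setting
    that is absent counts as failing: the requirement cannot be shown to be
    enforced, which carries the same risk as a wrong value."""
    return sorted(name for name, settings in observed.items()
                  if settings.get(check.setting) != check.required)


def classify(checklist, prior, observed):
    """Bucket every check the way the finding reports them:
    remediated - previously improper, now correct on every sampled database
    persistent - previously improper, still wrong on at least one database
    regressed  - previously marked Satisfied, now wrong on at least one database
    new        - wrong, but not identified by the prior assessment
    passing    - correct everywhere and not previously reported improper."""
    report = {"remediated": [], "persistent": [], "regressed": [], "new": [], "passing": []}
    for check in checklist:
        failing = failing_databases(check, observed)
        status = prior.get(check.number)
        if not failing:
            bucket = "remediated" if status == "Not Satisfied" else "passing"
            report[bucket].append(check.number)
        elif status == "Not Satisfied":
            report["persistent"].append((check.number, failing))
        elif status == "Satisfied":
            report["regressed"].append((check.number, failing))
        else:
            report["new"].append((check.number, failing))
    return report


def poam_item_may_close(checklist, prior, observed):
    """Recommendation 2.3: a POA&M item covering the prior assessment's
    findings is only closed when validation shows none of them remain on
    any sampled database.  A status reply from staff is not evidence."""
    report = classify(checklist, prior, observed)
    return not report["persistent"] and not report["regressed"]


if __name__ == "__main__":
    for bucket, items in classify(CHECKLIST, PRIOR_ASSESSMENT, OBSERVED).items():
        print(f"{bucket:11s} {items}")
    print("POA&M item may close:",
          poam_item_may_close(CHECKLIST, PRIOR_ASSESSMENT, OBSERVED))
```

Each bucket maps to a row category in tables 4 and 5, and the closure test is the validation step the report says must precede marking a POA&M item complete.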
The

NIST's explanation for how it defines secure configuration settings for applications suggests that it will do so only if a secure configuration guide or checklist is available ("when they exist"). However, Department policy mandates that operating units develop their own secure settings for IT products if necessary. The current Department IT security policy, updated March 2009, states that operating units "shall use [NIST] SP 800-70 to develop configuration setting checklists for IT products for which none are available." Therefore, we reaffirm recommendation 2.1.


3. Control Assessments Produced Reliable Information for Assessing Risk, but Some Minor Improvements Are Needed

•  System-specific control assessments were generally adequate.
   o  Assessments were performed on an adequate set of system components.
   o  Results, in general, were sufficiently supported by evidence.
   o  Procedures were adequate to assess security control requirements.

•  However, three control assessments were not sufficient to assess security control implementations. (See table 6.)

•  Assessment results and analysis for some controls provided by other systems were not included in certification assessments. As a result, potential risk associated with these controls was not properly identified. (See table 7.)
   o  The ASD system inherits remaining vulnerabilities related to controls provided by other systems.

Recommendations

NIST should

3.1 reassess the controls listed in table 6 as part of continuous monitoring; and

3.2 present assessment results for controls provided by other systems, as identified in table 7, to the authorizing official.

NIST Response

NIST indicated it concurred with this finding and our recommendations. However, NIST did not agree with one of the security control assessment deficiencies we identified in table 6. NIST indicated its secure configuration script did check settings related to          . It acknowledged the documented assessment result "was lacking sufficient detail" and should have referenced the secure configuration script. And NIST offered explanations as to why the script identified inconsistent settings in its databases:

With respect to the          control assessment deficiency, NIST indicated that it "updated the Parent SSP,          SSP and          SSP, control          to remediate this deficiency."

OIG Comments

Security control assessment involves not just obtaining the necessary data (e.g., through scripts) but analyzing the data to determine the actual risk involved. In this case, the certification team, based on an interview and examination of requirements, concluded that this control          was being effectively implemented in the system. At the same time, the script data showed that the control was not consistently implemented in ASD databases. Therefore, the assessment result was not accurate and does represent a deficiency in NIST's assessment process. NIST appears to partly recognize the deficiency based on its response indicating it "will be more explicit when describing how controls are tested."

NIST was non-responsive to the          control assessment deficiency identified in table 6. Updating the security plan is not a corrective action for a deficient control assessment. As the table indicates, "This control should be assessed where it is implemented. An examination of the          for a representative set of system components is necessary to determine if information system          ."


4. OIG Assessments Found Vulnerabilities Requiring Remediation

As part of OIG's FY09 FISMA evaluation of ASD, we assessed a targeted set of system components to determine if selected security controls are properly implemented. We tailored our procedures to the specific control implementations of ASD.

•  OIG assessments identified several vulnerabilities that need to be addressed. (See table 8 for details.) These vulnerabilities include the following:

Recommendation

4.1 NIST should ensure the vulnerabilities identified in table 8 are added to the system's POA&M and remediated during continuous monitoring.

NIST Response

NIST concurred with this finding and recommendation.


Table 1. Deficiencies in Initial Security Plan
Deficiency                                              Controls
Controls not accurately or completely described
Controls for          application not described
Common and hybrid controls not correctly identified


Table 2. Deficiencies in Revised Security Plan
Control    Security Plan Description (excerpts)    OIG Comments


Table 3.          Vulnerabilities
DISA Vulnerability Key    DISA Required Setting    OIG Assessment Results    OIG Comments


Table 4: Persistent Improper Settings in
Checklist Check #    NIST Requirement (Full Quotation)    OIG Assessment Results


Table 5. Additional Improper Settings in
Checklist Check #    NIST Requirement (Full Quotation)    OIG Assessment Results


Table 6. NIST Security Control Assessment Deficiencies
Control    NIST Assessment Procedure (Full Quotation)    NIST Assessment Results (Full Quotation)    OIG Comments


Table 7. Controls Lacking Results and Supporting Evidence of Assessments for Other Systems
Control Number    ASD Applications Inheriting Controls    NIST System(s) Implementing the Control


Table 8. Vulnerabilities Identified by OIG Assessment of Selected Security Controls
Control    Vulnerability    System Component    OIG Assessment Details
Vulnerabilities Identified by OIG Assessment of Selected Security Controls\n   Control                Vulnerability           System                              OIG Assessment Details\n                                                 Component\n\n\n\n\n                                                                Page 30\n\x0c                                OIG FY 2009 FISMA Assessment\n\n\nAppendix A: Objectives, Scope, and Methodology\n\nTo meet the FY 2009 FISMA reporting requirements, we evaluated the NIST certification and\naccreditation for the Application Systems and Databases system (NIST 183-06).\nSecurity certification and accreditation packages contain three elements, which form the basis\nof an authorizing official\xe2\x80\x99s decision to accredit a system.\n\n    \xe2\x80\xa2   The system security plan describes the system, the requirements for security\n        controls, and the details of how the requirements are being met. The security plan\n        provides a basis for assessing security controls and also includes other documents\n        such as the system risk assessment and contingency plan, per Department policy.\n    \xe2\x80\xa2   The security assessment report presents the results of the security assessment\n        and recommendations for correcting control deficiencies or mitigating identified\n        vulnerabilities. This report is prepared by the certification agent.\n    \xe2\x80\xa2   The plan of action & milestones is based on the results of the security assessment.\n        It documents actions taken or planned to address remaining vulnerabilities in the\n        system.\n\nCommerce\xe2\x80\x99s IT Security Program Policy and Minimum Implementation Standards requires\nthat C&A packages contain a certification documentation package of supporting evidence of\nthe adequacy of the security assessment. 
Two important components of this documentation are:

    •   The certification test plan, which documents the scope and procedures for testing (assessing) the system's ability to meet control requirements.
    •   The certification test results, which are the raw data collected during the assessment.

To evaluate the certification and accreditation, we reviewed all components of the C&A package and interviewed NIST staff to clarify any apparent omissions or discrepancies in the documentation and gain further insight into the extent of the security assessment. We evaluated the assessment results for a targeted set of security controls and will give substantial weight to the evidence that supports the rigor of the security assessment when reporting our findings to OMB. (See appendix B for the controls we evaluated.) To evaluate the system security plans, we reviewed all required security controls to determine whether and to what extent the certification team's role in developing the plans had any significant negative effects. In our initial review, we found that assessment results for some controls implemented by other systems had not been properly documented. We therefore expanded our scope by looking at all required controls to identify those that were provided by other systems and whether they had been assessed and included in the C&A package.

In addition, we performed our own assessments of the same control set we used to evaluate NIST's control assessments (appendix B), with the exception of control PL-5 Privacy Impact Assessment. We conducted our assessment using a subset of procedures from NIST SP 800-53A, which we tailored to ASD's specific control implementations. We did not attempt to perform a complete assessment of each control; instead we chose to focus on specific technical and operational elements.

We assessed controls on key classes of IT components (in this system, applications), choosing a targeted set of components from each class that would allow for direct comparison with NIST's certification test results. We assessed control implementations on the seven [redacted], and controls for the [redacted]. In addition, we examined the security plan descriptions, including related policy documents, and interviewed appropriate NIST personnel.

Our assessments included the following activities:

    •   Extraction, examination, and verification of system configurations
    •   Generation of system events and examination of system logs
    •   Execution of NIST-developed scripts and DISA checklists
    •   Addition, modification, and deletion of accounts

Our assessment was limited in scope and should not be interpreted as the comprehensive review that a security certification for a [redacted] system would require. However, our assessments gave us direct assurance of the status of select aspects of important system controls and provided meaningful comparison to NIST's security certification.

We used the following review criteria:
    •   Federal Information Security Management Act of 2002 (FISMA)
    •   U.S. Department of Commerce IT Security Program Policy and Minimum Implementation Standards, June 30, 2005
    •   NIST's Federal Information Processing Standards (FIPS)
            o   Publication 199, Standards for Security Categorization of Federal Information and Information Systems
            o   Publication 200, Minimum Security Requirements for Federal Information and Information Systems
    •   NIST Special Publications:
            o   800-18, Guide for Developing Security Plans for Information Technology Systems
            o   800-37, Guide for the Security Certification and Accreditation of Federal Information Systems
            o   800-53, Recommended Security Controls for Federal Information Systems
            o   800-53A, Guide for Assessing the Security Controls in Federal Information Systems
            o   800-70, Security Configuration Checklists Program for IT Products
            o   800-115, Technical Guide to Information Security Testing and Assessment

We conducted our evaluation in accordance with the Inspector General Act of 1978, as amended, and the Quality Standards for Inspections (rev. January 2005) issued by the President's Council on Integrity and Efficiency.


Appendix B: NIST SP 800-53 Security Controls Evaluated During OIG Review of ASD

    •   Account Management (AC-2)
    •   Separation of Duties (AC-5)
    •   Unsuccessful Login Attempts (AC-7)
    •   Auditable Events (AU-2)
    •   Audit Storage Capacity (AU-4)
    •   Response to Audit Processing Failures (AU-5)
    •   Audit Monitoring, Analysis and Reporting (AU-6)
    •   Time Stamps (AU-8)
    •   Protection of Audit Information (AU-9)
    •   Configuration Settings (CM-6)
    •   Information System Backup (CP-9)
    •   User Identification and Authentication (IA-2)
    •   Authenticator Management (IA-5)
    •   Privacy Impact Assessment (PL-5)
    •   Vulnerability Scanning (RA-5)
    •   Flaw Remediation (SI-2)


UNITED STATES DEPARTMENT OF COMMERCE
National Institute of Standards and Technology
Gaithersburg, Maryland 20899
OFFICE OF THE DIRECTOR

JUL 10 2009

MEMORANDUM FOR:  Allen Crawley
                 Assistant Inspector General for Systems Acquisition and IT Security

From:            Patrick Gallagher
                 Deputy Director

Subject:         NIST Comments in Response to Draft Inspection Report No.
OSE-19512, Entitled "FY 2009 FISMA Assessment Application Systems and Databases" (NIST 183-06), Draft Inspection Report No. OSE-19512

I would like to thank you for the opportunity to comment on your Draft Inspection Report No. OSE-19512, entitled "FY 2009 FISMA Assessment Application Systems and Databases" (NIST 183-06). In addition, I would like to compliment you on the thoroughness of your review.

NIST concurs with the majority of recommendations made in your draft report, and I assure you we will take all steps necessary to implement your recommendations. In the few cases where NIST does not fully concur with your recommendations, we have suggested that the language of the recommendation be changed, or we note that the recommendation is no longer appropriate due to changes in systems administration or configuration. NIST comments on the draft inspection report are found in the attachment to this letter.

Again, I would like to thank you for the opportunity to comment on this draft report, and assure you that NIST will implement your recommendations as soon as possible. If you have any questions concerning this response, please contact Stephen Willett on (301) 975-8707. Your efforts to improve NIST systems security are greatly appreciated.

Attachment


1. Revised System Security Plan Was Generally Adequate, but Security Planning Process Needs Improvement

Recommendations
NIST should ensure that

1.1 the security control descriptions in the SSP are accurate and complete; and
1.2 waivers or special authorizations are obtained and documented in accordance with Department policy.

NIST Response
NIST concurs with these findings and these recommendations, with the exception of deviations documented in red in this section (Page 2). See below for detailed responses.

Finding: The initial system security plan did not fully address controls for the parent system and omitted subsystems altogether.
OIG Documented Deficiency: The initial security plan did not include major software components: [redacted]. No control enhancements required for the system were described. Several controls were not accurately or completely described. See Table 1. Several controls for an application [redacted] were not described. Common and hybrid controls were not correctly identified. A hardware server was removed from the accreditation boundary sometime during the security certification (system now consists of software only). NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, calls for accreditation boundaries to be established before the certification phase begins.
Remediation Plan / Justification: NIST will ensure that future initial SSPs will provide sufficient detail before continuing with the C&A process. These deficiencies were fixed in the final SSP submission.

Finding: Along with assessing controls, NIST certification team members rewrote the parent security plan and created new subsystem security plans that served as the basis for the accreditation decision.
OIG Documented Deficiency: NIST told us that the system security officer and other administrators participated in the development of the final plans. However, the certification team's authorship of the security plans raises the possibility that security control requirements were solely based on security settings and implementations discovered during control assessments rather than a risk-based process to determine the necessary protections for information in ASD. In fact, many control descriptions in the revised security plan are direct quotes from the control assessment. Scoping and tailoring control requirements should be driven by consideration of risk to the confidentiality, integrity, and availability of the information in the system. While certification teams should consult with system owners about the adequacy of the security plan, it is the system owner's role to maintain the plan based on input from various managers with system responsibilities.
Remediation Plan / Justification: NIST does not concur with this finding. While the NIST certification team member provided assistance by rewriting some parts of the security documentation, the requirements were defined, reviewed and approved by the SSO and System Owner (SO), prior to the presentation of the package to the Authorizing Official (AO) for the final accreditation decision.

Finding: Revised system security plans generally addressed all required elements of the NIST SP 800-53 controls for each system component. However, some control descriptions need improvement. (See table 2.)
Remediation Plan / Justification: See Table 2, Pages 10 through 13.


2.
Secure Configuration Settings Were Not Established for All IT Products

Recommendations
NIST should

2.1 ensure that secure configuration settings are established, implemented, and assessed for all IT products in the system accreditation boundary in accordance with NIST SP 800-70, Security Configuration Checklists Program for IT Products;
2.2 tailor the NIST [redacted] secure configuration checklist to the specific operational requirements of ASD;
2.3 only close POA&M items after validation testing or examination demonstrates that the planned remedial action(s) succeeded; and
2.4 create a new POA&M item to track the remediation of [redacted] vulnerabilities in the databases.

NIST Response
NIST concurs with these findings and these recommendations, with the exception of deviations documented in red in Table 5, Page 20. See below for detailed responses.

Finding: Secure configuration settings were established for the [redacted] but not for other significant applications in the system.
OIG Documented Deficiency: [redacted] have standardized secure configuration checklists available. (Checklists provide predefined secure configuration settings that can be used to establish system-specific settings.) NIST explained that a program-level POA&M exists to address the need to develop secure configuration checklists for applications. However, this POA&M (#26334 in CSAM) was closed June 30, 2008, without developing any additional secure configuration checklists applicable to ASD applications. To illustrate the importance of utilizing secure configuration checklists we assessed configuration settings for two of the system's [redacted] against the Defense Information Systems Agency's (DISA) [redacted] security checklist. We selected 24 technical settings with significant impact (DISA's category 1 or 2¹) from the checklist.
    •   [redacted] results included 10 category 2 vulnerabilities.
    •   [redacted] results included 8 category 2 vulnerabilities.
(See table 3.) These vulnerabilities might have been resolved if a secure configuration checklist were implemented for this application. (It is also possible that remediation of some vulnerabilities may prevent the successful operation of the legacy applications, but that risk should be identified and appropriately considered according to the methodology in NIST SP 800-70, Security Configuration Checklists Program for IT Products – Guidance for Checklists Users and Developers.)
Remediation Plan / Justification: See Tables 3 through 5, Pages 14 through 21. NIST will ensure that future program-level POA&Ms that have such a broad scope are fully reviewed for completeness before being marked as complete. See Table 3, Pages 14 through 16. See Tables 3 through 5, Pages 14 through 21.

Finding: The NIST [redacted] secure configuration checklist² was not tailored for the ASD system.
OIG Documented Deficiency: NIST has a secure configuration checklist for [redacted] that serves as an enterprisewide standard. However, NIST told us that prior to assessment, the checklist had not been tailored to the system-specific requirements of ASD. NIST's certification team, along with system administrators, determined the appropriate settings for the sample of databases assessed. However, configuration settings for other databases in the system need to be established and documented. This activity, part of tailoring security control requirements, is the responsibility of the system owner.
Remediation Plan / Justification: A POA&M (CSAM POA&M 34348) has been created to document and implement a tailored secure configuration guide for [redacted]. NIST identifies secure configuration guides for applications when they exist and customizes them for each situation, depending on functional requirements.

Finding: The description, assessment, and remediation of configuration settings were inappropriately assigned to security control Baseline Configuration (CM-2).
OIG Documented Deficiency: CM-2 requires the creation of a baseline configuration that describes the makeup of each component and its logical placement within the information system. Configuration Settings (CM-6) is the appropriate control. It requires the establishment, configuration, documentation, and enforcement of configuration settings to the most restrictive mode consistent with operational requirements.
Remediation Plan / Justification: See Table 2, CM-2 row, Page 11.

Finding: [redacted] configuration vulnerabilities were not adequately remediated.
OIG Documented Deficiency: During the certification process, NIST added an action item to its POA&M (CSAM #26134) to address vulnerabilities identified during the assessment of secure configuration settings. The item directs that "staff apply the NIST [redacted] Secure Configuration Guidelines consistently among all databases by 9/30/2008." This POA&M item was marked completed on September 2, 2008. NIST OCIO indicated it completed the POA&M based on staff response to a status request and that validation testing will be performed at a later date, as part of continuous monitoring activities. However, Appendix E of the Department's IT Security Program Policy and Minimum Implementation Standards requires the ITSO to have tested the POA&M item's implementation before categorizing the item as complete.
Remediation Plan / Justification: In the future, sufficient evidence will be collected before marking a POA&M as complete.

OIG Documented Deficiency: We assessed 86 of NIST's defined configuration settings for [redacted]. NIST had identified 33 improperly applied settings in its own assessment. Of these 33, we found that 22 were properly applied in the databases we assessed. The remaining 11 improper settings NIST identified were present on one or more databases included in our assessment. (See table 4.) We also found 3 configuration settings (listed below) that NIST had marked as "Satisfied" because "the database administrator changed the setting" to the correct value, implying that the change had been made at the time of the assessment. These settings were either not successfully corrected as stated or the incorrect settings were reintroduced following the change.
    •   [redacted]
    •   [redacted]
    •   [redacted]
Remediation Plan / Justification: See Table 4, Pages 17 through 19. Two issues were identified that resulted in inconsistent configuration settings.
    1.  [redacted]

OIG Documented Deficiency: We also found 6 improper settings NIST did not identify in its security certification. (See table 5.)
Remediation Plan / Justification: See Table 5, Pages 20 through 21.


3. Control Assessments Produced Reliable Information for Assessing Risk, but Some Minor Improvements Are Needed

Recommendations
NIST should

3.1 reassess the controls listed in table 6 as part of continuous monitoring; and
3.2 present assessment results for controls provided by other systems, as identified in table 7, to the authorizing official.

NIST Response
NIST concurs with these findings and these recommendations, with the exception of deviations documented in red in Table 6, Page 22. See below for detailed responses.

Finding: Three control assessments were not sufficient to assess security control implementations. (See table 6.)
Remediation Plan / Justification: See Table 6, Pages 22 through 25.

Finding: Assessment results and analysis for some controls provided by other systems were not included in certification assessments. As a result, potential risk associated with these controls was not properly identified. (See table 7.)
OIG Documented Deficiency: The ASD system inherits remaining vulnerabilities related to controls provided by other systems.
Remediation Plan / Justification: See Table 7, Page 26.


4. OIG Assessments Found Vulnerabilities Requiring Remediation

Recommendations
NIST should

4.1 ensure the vulnerabilities identified in table 8 are added to the system's POA&M and remediated during continuous monitoring.

NIST Response
NIST concurs with these findings and these recommendations. See below for detailed responses.

Finding: OIG assessments identified several vulnerabilities that need to be addressed. (See table 8 for details.) These vulnerabilities include the following: [redacted]
Remediation Plan / Justification: See Table 8, Pages 27 through 29.


Appendix: Tables

Table 1.
Deficiencies in Initial Security Plan\xc2\xa0\nDeficiency\xc2\xa0                           Controls\xc2\xa0            Remediation\xc2\xa0Plan/Justification\xc2\xa0\nControls not accurately or                                 NIST\xc2\xa0will\xc2\xa0ensure\xc2\xa0that\xc2\xa0future\xc2\xa0initial\xc2\xa0SSPs\xc2\xa0will\xc2\xa0provide\xc2\xa0sufficient\xc2\xa0detail\xc2\xa0before\xc2\xa0\ncompletely described\xc2\xa0                                      continuing\xc2\xa0with\xc2\xa0the\xc2\xa0Certification\xc2\xa0and\xc2\xa0Accreditation\xc2\xa0(C&A)\xc2\xa0process.\xc2\xa0\xc2\xa0These\xc2\xa0\n                                                           deficiencies\xc2\xa0were\xc2\xa0fixed\xc2\xa0in\xc2\xa0the\xc2\xa0final\xc2\xa0SSP\xc2\xa0submission.\xc2\xa0\n\n\nControls for        application\nnot described\n\n\n\n\nCommon and hybrid controls not\ncorrectly identified\n\n\n\n\n                                                  \xc2\xa0\n\xc2\xa0                                 \xc2\xa0\n\n8\xc2\xa0\n\n\xc2\xa0\n\x0cTable 2. 
Deficiencies in Revised Security Plan\n\nControl\xc2\xa0   Security Plan Description (excerpts)\xc2\xa0   OIG Comments   Remediation\xc2\xa0Plan/\xc2\xa0Justification\xc2\xa0\n\n                                                                                                                       \xc2\xa0\n                                                                                                                        \xc2\xa0\n                                                                                                             \xc2\xa0\xc2\xa0\xc2\xa0\n\n                                                                                                         \xc2\xa0\n\n                                                                                                                            \xc2\xa0\n                                                                                                                   \xc2\xa0\n                                                                                  \xc2\xa0\n\n                                                                                                                            \xc2\xa0\n                                                                                                 \xc2\xa0\n\n                                                                  \xc2\xa0\n\n\n\n                                                                                                         \xc2\xa0\n                                                                                            \xc2\xa0\n\n\n\n\n                                                                                                                            \xc2\xa0\n                                                                                                     \xc2\xa0\n                                                                            \xc2\xa0\xc2\xa0\xc2\xa0\n\n                                                         
                                                               \xc2\xa0\n                                                                                      \xc2\xa0\xc2\xa0\xc2\xa0\n\n\n\n9\xc2\xa0\n\n\xc2\xa0\n\x0c               \xc2\xa0\n          \xc2\xa0\xc2\xa0\n\n      \xc2\xa0\n\n\n\n\n                   \xc2\xa0\n          \xc2\xa0\n\n\n\n\n10\xc2\xa0\n\n\xc2\xa0\n\x0c                  \xc2\xa0\n\xc2\xa0             \xc2\xa0\n\n\n\n\n                      \xc2\xa0\n\xc2\xa0         \xc2\xa0\n\n\n\n\n      \xc2\xa0\n\n\n\n\n11\xc2\xa0\n\n\xc2\xa0\n\x0c              \xc2\xa0\n\xc2\xa0         \xc2\xa0\n\n\n\n\n\xc2\xa0\n\n\xc2\xa0     \xc2\xa0\n\n\n\n\n12\xc2\xa0\n\n\xc2\xa0\n\x0cTable 3                      Vulnerabilities\xc2\xa0\n\nDISA\xc2\xa0Vuln\xc2\xa0Key\xc2\xa0   DISA\xc2\xa0Required\xc2\xa0Setting\xc2\xa0    OIG\xc2\xa0Assessment\xc2\xa0Results\xc2\xa0   OIG\xc2\xa0Comments\xc2\xa0           Remediation\xc2\xa0Plan\xc2\xa0/\xc2\xa0Justification\xc2\xa0\n\n          \xc2\xa0                                                                                                                                \xc2\xa0\n                                                    \xc2\xa0                                                                                            \xc2\xa0\n                                                                                                                                       \xc2\xa0\n                                                                                                                                               \xc2\xa0\xc2\xa0\xc2\xa0\n                                                                                                                                                  \xc2\xa0\n                                                                                                                                                 \xc2\xa0\n          \xc2\xa0                                                  
                                                                    \xc2\xa0\xc2\xa0\xc2\xa0\n                                   \xc2\xa0            \xc2\xa0\n\n\n\n\n          \xc2\xa0\n\n                     \xc2\xa0\n\n\n\n\n                                                                                     \xc2\xa0\n\n          \xc2\xa0\n\n\n\n\n                                                                                         \xc2\xa0\n\n\n13\xc2\xa0\n\n\xc2\xa0\n\x0c      \xc2\xa0\n\n\n\n              \xc2\xa0\n\n\n\n\n                  \xc2\xa0\n\n      \xc2\xa0\n\n\n\n\n                      \xc2\xa0\n\n\n      \xc2\xa0\n\n\n\n          \xc2\xa0\n\n\n\n\n14\xc2\xa0\n\n\xc2\xa0\n\x0c      \xc2\xa0\n\n\n                                  \xc2\xa0\n\n                      \xc2\xa0\n\n                                      \xc2\xa0\n\n      \xc2\xa0\n\n\n\n\n          \xc2\xa0\n\n\n\n\n                              \xc2\xa0\n\n      \xc2\xa0\n                  \xc2\xa0\n\n\n\n                          \xc2\xa0\n\n\n\xc2\xa0\n\n\xc2\xa0             \xc2\xa0\n\n\n\n\n15\xc2\xa0\n\n\xc2\xa0\n\x0cTable 4: Persistent Improper Settings in\n\nChecklist\xc2\xa0 NIST Requirement (Full Quotation)\xc2\xa0   OIG Assessment Results       Remediation\xc2\xa0Plan\xc2\xa0/\xc2\xa0Justification\xc2\xa0\nCheck\xc2\xa0#\xc2\xa0\n\n    \xc2\xa0                                                                                                                    \xc2\xa0\n                                                                                                                                         \xc2\xa0\n                                                                                                                             \xc2\xa0\n                                                                                                                                     \xc2\xa0\n                                                                                              
                   \xc2\xa0\n\n        \xc2\xa0                                                                                                                        \xc2\xa0\n                                                                                               \xc2\xa0\n                                                                  \xc2\xa0\n\n        \xc2\xa0\n                                                            \xc2\xa0\n\n        \xc2\xa0\n                                                                         \xc2\xa0\n\n        \xc2\xa0\n                                                                 \xc2\xa0\n\n        \xc2\xa0                                                                                                            \xc2\xa0\n                                                                                                                                 \xc2\xa0\n\n\n\n\n        \xc2\xa0                                                                                                                        \xc2\xa0\n\n\n16\xc2\xa0\n\n\xc2\xa0\n\x0c            \xc2\xa0\n\n\n\n\n    \xc2\xa0                \xc2\xa0\n            \xc2\xa0\n\n\n\n\n    \xc2\xa0           \xc2\xa0\n                         \xc2\xa0\n\n\n\n\n        \xc2\xa0            \xc2\xa0\n                             \xc2\xa0\n                    \xc2\xa0\xc2\xa0\n                    \xc2\xa0\n                         \xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\n\n        \xc2\xa0            \xc2\xa0\n            \xc2\xa0\n\n\n\n\n17\xc2\xa0\n\n\xc2\xa0\n\x0c\xc2\xa0\n\n\xc2\xa0     \xc2\xa0\n\n\n\n\n18\xc2\xa0\n\n\xc2\xa0\n\x0cTable 5. 
Additional Improper Settings in\n\nChecklist   NIST Requirement (Full Quotation)\xc2\xa0   OIG Assessment Results       Remediation\xc2\xa0Plan\xc2\xa0/\xc2\xa0Justification\xc2\xa0\nCheck #\n\n    \xc2\xa0                                                                                                                                     \xc2\xa0\n                                                                                                                                                  \xc2\xa0\n                                                                                                                                                      \xc2\xa0\n                                                                                                                                  \xc2\xa0\n                                                                                                                                   \xc2\xa0\n                                                                                                                  \xc2\xa0\n                                                                          \xc2\xa0\n\n    \xc2\xa0                                                                                                                                                 \xc2\xa0\n                                                                                                                                      \xc2\xa0\n                                                                                                                                                      \xc2\xa0\n                                                                                                 \xc2\xa0\n\n                                                                                                                                                      \xc2\xa0\n                                                                                                        
                                      \xc2\xa0\n                                                                                                                              \xc2\xa0\n                                                                                                                          \xc2\xa0\n                                                                                            \xc2\xa0\xc2\xa0\n\n                                                                                                                                              \xc2\xa0\n                                                                                                                      \xc2\xa0\n\n    \xc2\xa0                                                                                                                         \xc2\xa0\n                                                                                                                                  \xc2\xa0\n                                                                                      \xc2\xa0\n\n\n\n\n19\xc2\xa0\n\n\xc2\xa0\n\x0c      \xc2\xa0               \xc2\xa0\n                  \xc2\xa0\n\n\n\n\n      \xc2\xa0\n\n\n\n\n          \xc2\xa0\n\n      \xc2\xa0\n\n\n\n\n\xc2\xa0             \xc2\xa0\n\n20\xc2\xa0\n\n\xc2\xa0\n\x0cTable 6. 
NIST Security Control Assessment Deficiencies\n\nControl\xc2\xa0 NIST Assessment     NIST Assessment Results (Full   OIG Comments   Remediation\xc2\xa0Plan\xc2\xa0/\xc2\xa0Justification\xc2\xa0\n         Procedure (Full     Quotation)\xc2\xa0\n         Quotation)\xc2\xa0\n\n                                                                                                                                                                 \xc2\xa0\n                                                                                                                                                         \xc2\xa0\n\xc2\xa0\n                                                                                                                                             \xc2\xa0\n                                                                                                                    \xc2\xa0\xc2\xa0\n                                                                                                                                                         \xc2\xa0\n                                                                                                                                         \xc2\xa0\n                                                                                                                                                 \xc2\xa0\n                                                                                                                                                     \xc2\xa0\n                                                                                                                                     \xc2\xa0\n                                                                                                                             \xc2\xa0\n                                                                                                      \xc2\xa0\n\n                                                                                
                                                 \xc2\xa0\n                                                                                                                \xc2\xa0\n\n                                                                                                                                                                     \xc2\xa0\n                                                                                                                                                 \xc2\xa0\n                                                                                                                                                         \xc2\xa0\n                                                                                                                                                             \xc2\xa0\n                                                                                                                                                                     \xc2\xa0\n                                                                                                                         \xc2\xa0\n                                                                                                                                                 \xc2\xa0\n                                                                                             \xc2\xa0\n\n                                                                                                                                                         \xc2\xa0\n                                                                                                                                             \xc2\xa0\n                                                                                                                                                     \xc2\xa0\xc2\xa0\n                                                                                                              
                                                   \xc2\xa0\n21\xc2\xa0\n\n\xc2\xa0\n\x0c                                \xc2\xa0\n                                    \xc2\xa0\n                                \xc2\xa0\n                                        \xc2\xa0\n                            \xc2\xa0\n                      \xc2\xa0\xc2\xa0\xc2\xa0\n\n                                    \xc2\xa0\n\xc2\xa0                     \xc2\xa0\n                                    \xc2\xa0\n                  \xc2\xa0\n              \xc2\xa0\n\n\n\n      \xc2\xa0\n\n\n\n\n          \xc2\xa0\n\n\n\n\n22\xc2\xa0\n\n\xc2\xa0\n\x0c              \xc2\xa0\n\xc2\xa0         \xc2\xa0\n      \xc2\xa0\n\n\n\n\n23\xc2\xa0\n\n\xc2\xa0\n\x0c          \xc2\xa0\n\n\xc2\xa0\n\n\xc2\xa0     \xc2\xa0\n\n\n\n\n24\xc2\xa0\n\n\xc2\xa0\n\x0cTable 7. Controls Lacking Results and Supporting Evidence of Assessments for Other Systems\xc2\xa0\n\nControl\xc2\xa0Number\xc2\xa0            ASD\xc2\xa0Applications\xc2\xa0Inheriting\xc2\xa0   NIST\xc2\xa0System(s)\xc2\xa0             Remediation\xc2\xa0Plan\xc2\xa0/\xc2\xa0Justification\xc2\xa0\n                           Controls\xc2\xa0                      Implementing\xc2\xa0the\xc2\xa0Control\xc2\xa0\n\n                      \xc2\xa0              \xc2\xa0                                                                                        \xc2\xa0\n                                                                                                                          \xc2\xa0\n          \xc2\xa0                               \xc2\xa0                                                                   \xc2\xa0\n      \xc2\xa0                                   \xc2\xa0\n\n              \xc2\xa0                           \xc2\xa0\n\n\n\n                                                                                  \xc2\xa0\n\n      \xc2\xa0                                   \xc2\xa0\n\n                  \xc2\xa0                       
\xc2\xa0\n\n\n\n\n\xc2\xa0\n\n\xc2\xa0                           \xc2\xa0\n\n\n\n\n25\xc2\xa0\n\n\xc2\xa0\n\x0cTable 8. Vulnerabilities Identified by OIG Assessment of Selected Security Controls\n\nControl\xc2\xa0 Vulnerability\xc2\xa0           System\xc2\xa0           OIG\xc2\xa0Assessment\xc2\xa0Details\xc2\xa0           Remediation\xc2\xa0Plan/\xc2\xa0Justification\xc2\xa0\n                                  Component\xc2\xa0\n\n      \xc2\xa0                                                                                                                                                        \xc2\xa0\n                                           \xc2\xa0                                                                                                               \xc2\xa0\n                                                                                                                                                           \xc2\xa0\n                                                                                          \xc2\xa0\n\n                                                                                                                                                  \xc2\xa0\n                                                                                                                                                       \xc2\xa0\n                                                                                                                                                      \xc2\xa0\n                                                                                                                                     \xc2\xa0\xc2\xa0\n\n                                                                                                                                              \xc2\xa0\n                                                                                                                             \xc2\xa0\n\n\n\n\n                        
                                                         \xc2\xa0\n\n\xc2\xa0         \xc2\xa0                                                                                                                               \xc2\xa0\n                                                                                                                                                               \xc2\xa0\n                                                                                                                                                      \xc2\xa0\n                                                                                                                                                  \xc2\xa0\n\n\n      \xc2\xa0                                                                               \xc2\xa0                                          \xc2\xa0\n                                           \xc2\xa0                                                                             \xc2\xa0\n\n                                                                                                                                                  \xc2\xa0\n                                                                                                                                                               \xc2\xa0\n                                                                                                                                      \xc2\xa0\n\n26\xc2\xa0\n\n\xc2\xa0\n\x0c                                                                        \xc2\xa0\xc2\xa0\n                                                          \xc2\xa0\n                                                               \xc2\xa0\n                                  \xc2\xa0\n\n                                                               \xc2\xa0\n          \xc2\xa0                                           \xc2\xa0\n                      \xc2\xa0                                     
           \xc2\xa0\n                                              \xc2\xa0\n                                                                   \xc2\xa0\n                                                      \xc2\xa0\n                                                               \xc2\xa0\n                                          \xc2\xa0\n                                                                       \xc2\xa0\xc2\xa0\n\n      \xc2\xa0                                           \xc2\xa0\n                                                                           \xc2\xa0\n                                                           \xc2\xa0\n                                                          \xc2\xa0\n                          \xc2\xa0\n\n\xc2\xa0             \xc2\xa0                                   \xc2\xa0\n                                                                           \xc2\xa0\n                  \xc2\xa0\n                                                               \xc2\xa0\n                                      \xc2\xa0\n\n\xc2\xa0             \xc2\xa0                                                    \xc2\xa0\n                      \xc2\xa0       \xc2\xa0\n\n\n\n\n27\xc2\xa0\n\n\xc2\xa0\n\x0c      \xc2\xa0                   \xc2\xa0\n                                       \xc2\xa0\n                               \xc2\xa0\n                              \xc2\xa0\n\n          \xc2\xa0                        \xc2\xa0\n              \xc2\xa0                        \xc2\xa0\n                      \xc2\xa0\n\n\n                  \xc2\xa0\n\n\xc2\xa0\n\n\n\n\n28\xc2\xa0\n\n\xc2\xa0\n\x0c'